Many Millions of Linux are affected by this security hole
Posted: Wed 20 Jan 2016, 06:58
(old)Puppy Linux Discussion Forum
READ-ONLY Archive
https://oldforum.puppylinux.com/
Many Millions of Linux are affected by this security hole
Page 1 of 3
Posted: Wed 20 Jan 2016, 17:24
Thanks GCM, I'm glad I never gave in to the temptation to bank online.
Posted: Wed 20 Jan 2016, 19:01
I tried the reported kernel vulnerability.
Took the addresses from system.map for my kernel
version 4.1.6 for prepare_kernel_cred and commit_creds
It took 37 min to complete
I am still not root at the end?
Maybe a bit overestimated this bug?
I couldn't reproduce?
posted at their site about it too but seems like they deleted it?
perhaps they just want publicity?
Took the addresses from system.map for my kernel
version 4.1.6 for prepare_kernel_cred and commit_creds
It took 37 min to complete
Code: Select all
$ ./cve_2016_0728 PP_KEY
uid=1000, euid=1000
Increfing...
finished increfing
forking...
finished forking
caling revoke...
uid=1000, euid=1000
$ id -u
1000
$ id -un
alpha
Maybe a bit overestimated this bug?
I couldn't reproduce?
posted at their site about it too but seems like they deleted it?
perhaps they just want publicity?
Posted: Wed 20 Jan 2016, 19:25
I worked at a top three security documents company and transfer programs between investment group banking and Federal Reserve.. I also do NOT do online banking. There is solid active involvement realtime to stop those problems but I only saw it at the intrabank leveleric52 wrote:Thanks GCM, I'm glad I never gave in to the temptation to bank online.
Posted: Wed 20 Jan 2016, 20:14
Hello all. @Scooby, the "Security" is an Industry unto itself.
Some of the recent years finds are a discovery disclosure for which there have been no known exploits. It does gather our attentions. I have often wondered if its about tooting their own horns or if intending to invite exploit attempts or to make exploiters aware of "open doors" so that they can say "I told you so".
In Corporate meetings over the many years, the Security people use tactics to get financing from top management. I understand that they have a job to do and to protect. This is done in showing value to the organization in some cases. At fiscal end, their report of thwarting potential exploits allows their budgets to remain.
This is NOT always the case, but, raising worldwide awareness of a bug that has no history of exploits make you wonder why it just wasn't closed without the fanfare.
FYI
Some of the recent years finds are a discovery disclosure for which there have been no known exploits. It does gather our attentions. I have often wondered if its about tooting their own horns or if intending to invite exploit attempts or to make exploiters aware of "open doors" so that they can say "I told you so".
In Corporate meetings over the many years, the Security people use tactics to get financing from top management. I understand that they have a job to do and to protect. This is done in showing value to the organization in some cases. At fiscal end, their report of thwarting potential exploits allows their budgets to remain.
This is NOT always the case, but, raising worldwide awareness of a bug that has no history of exploits make you wonder why it just wasn't closed without the fanfare.
FYI
Posted: Wed 20 Jan 2016, 20:22
For Puppy where users run as root anyway ... users gaining access to root isn't a vulnerability ... its a feature. Therefore only if you're running servers is this a issue, otherwise just count it as anti-Linux noise.Vulnerability allows restricted users and apps to gain unfettered root access
Posted: Wed 20 Jan 2016, 20:24
It would appear that one must not be root at the start of the test.
One then becomes root at the end if the bug is present.
One then becomes root at the end if the bug is present.
Posted: Thu 21 Jan 2016, 06:59
Ha! another reason to stick with Slacko 5.6The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring
Everything after that uses kernels that are well penetrated.
Posted: Thu 21 Jan 2016, 10:03
Posted: Thu 21 Jan 2016, 10:34
You must have something wrong on your head Bindee. I did not say that this thread is a troll story; I am saying that you --> "DALEB" <-- is a troll, another sockpuppet from the troll Bindee.Daleb wrote:user jamesbond says this is a troll story
http://www.murga-linux.com/puppy/viewto ... 124#883124
Your first two posts after you registered is:
a) Is Fatdog64 Contributed thread infested with RATs?
b) The just released Fatdog64 702rc has a compromised kernel.
Yet, you are not a Fatdog64 user nor a Puppy user. So why should you care?
You, sir, is a troll. Your presence here in this forum is a disservice to all. You do not belong here. Now go back to where you came from, troll!
Posted: Thu 21 Jan 2016, 12:55
Would be nice if people bather to look past the headlines and look a bit further.
Puppy is NOT multi-user.
Puppy (usually) is not a server.
So, yes this is a kernel bug that can affect servers and multiuser machines given that someone has local access to it.
If someone has local access to your puppy I do not think will require any bug exploit.
Regarding Android, the user must install the malicious app (none know yet)...
Puppy runs as root.It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine
...
an attacker would require local access to exploit the vulnerability on a Linux server
Puppy is NOT multi-user.
Puppy (usually) is not a server.
So, yes this is a kernel bug that can affect servers and multiuser machines given that someone has local access to it.
If someone has local access to your puppy I do not think will require any bug exploit.
Regarding Android, the user must install the malicious app (none know yet)...
Posted: Thu 21 Jan 2016, 23:58
Much ado about not a lot, according to ZDNet:
http://www.zdnet.com/article/how-to-fix ... o-day-flaw
http://www.zdnet.com/article/how-to-fix ... o-day-flaw
Posted: Fri 22 Jan 2016, 02:09
Thanks @6502Coder. The article drives home what I shared earlier.
Posted: Fri 22 Jan 2016, 20:19
Okay what I gained from reading the link is that my test to elevate6502coder wrote:Much ado about not a lot, according to ZDNet:
http://www.zdnet.com/article/how-to-fix ... o-day-flaw
privileges on kernel 4.1.6 is beause SMEP or SMAP is activated.
SMEP and SMAP seems to be activated by default if CPU supports it?
I cannot however to find any command to check if SMEP or SMAP
is activated for my booted kernel?
Does anyone know?
*EDIT*
Saw some mention that this could verify SMEP
Code: Select all
cat /proc/cpu | grep smep Code: Select all
> zgrep X86_SMAP /proc/config.gz
CONFIG_X86_SMAP=y
So why does the exploit fail?
.
Posted: Fri 22 Jan 2016, 21:04
Well put indeed. This is FUD at best... as are most of these supposed 'exploits' or 'flaws'. Linux is about 95+% secure from this crap (assuming you don't run WINE) -- not by design, but because nobody of consequence in any position to create an exploit like that actually cares about Linux anything anywhere. It is wasted time and productivity better spent elsewhere. The few exceptions to this rule (Wikipedia has a page on them) are not really worth mentioning -- a double handful (maybe) of abortive efforts, all at least five years out of date (and I want to say more like fifteen for most). A goodly percentage aren't even in circulation anymore as I understand it. They have been completely eradicated.mavrothal wrote:Would be nice if people bather to look past the headlines and look a bit further.Puppy runs as root.It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine
...
an attacker would require local access to exploit the vulnerability on a Linux server
Puppy is NOT multi-user.
Puppy (usually) is not a server.
So, yes this is a kernel bug that can affect servers and multiuser machines given that someone has local access to it.
If someone has local access to your puppy I do not think will require any bug exploit.
Regarding Android, the user must install the malicious app (none know yet)...
Viruses, worms, trojans, etc are about MONEY, just like everything else in this world. Money, and want of it, and greed over it. Think of all the fake antivirus crap that Windows users get, begging them to install backdoor-laden programs that just spew out more of the same. Look at Cryptolocker and its ilk. Not to mention that "FBI" virus that had people mail prepaid Wal*Mart cards to strange addresses. Yes, all of those actually WORKED, at least enough to satisfy their creators.
There is no meaningful market for that trash here on Linux, and there never has been, because not enough people are willing to move here from The Dark Side to make it worthwhile. (Perhaps we should be thankful, particularly given the state of modern computer education...) If M$ ever goes under *and* people don't just shuffle over to That Fruit Company and get their daily dose of bloated disposable crapware from there, then we might at that point have something to talk about.
In the meantime, Shakespeare said it best. "Much ado about nothing." A statement particularly true, in this case, of Puppy Linux as a whole.
Posted: Fri 22 Jan 2016, 22:50
I'm pretty sure if somebody found a way to make malware coded for linux that can be also be compiled onto Windows and OS X, then we would be in big trouble.
Posted: Fri 22 Jan 2016, 23:10
Yes, and in the distant past there's been one or two of those.
Trouble is, everyone doing it found that targeting Linux is a waste of time... or something to that effect.
The primary point is that all this bellyaching about security "holes" is wasted energy -- almost none of these supposed issues will have actual malware developed to take advantage of them, and for the exceptions that prove the rule there's patching and updates. User doesn't want to install an update? That's their problem, not mine.
Quit bangin' the drum, there's no trouble here...
...unless you WANT the likes of Norton and McAffee trying to make Linux "more secure" with their useless bloated offal...?
Trouble is, everyone doing it found that targeting Linux is a waste of time... or something to that effect.
The primary point is that all this bellyaching about security "holes" is wasted energy -- almost none of these supposed issues will have actual malware developed to take advantage of them, and for the exceptions that prove the rule there's patching and updates. User doesn't want to install an update? That's their problem, not mine.
Quit bangin' the drum, there's no trouble here...
...unless you WANT the likes of Norton and McAffee trying to make Linux "more secure" with their useless bloated offal...?
Posted: Fri 22 Jan 2016, 23:15
if smartphones can be exploited with malicious apps then why can't desktops be exploited in the same way?? we have a users contributed packages section that doesn't seem to be checked from the strange reply i received
Posted: Sat 23 Jan 2016, 18:45
The exploit POC doesn't work see
https://www.reddit.com/r/linux/comments ... y_patched/
If you want to try there is an easy version at
https://gist.github.com/libcrack/ac371cd9737cbf7997fa
https://www.reddit.com/r/linux/comments ... y_patched/
If you want to try there is an easy version at
https://gist.github.com/libcrack/ac371cd9737cbf7997fa
Posted: Sun 24 Jan 2016, 17:46
Very well put, starhawk. Couldn't have put it better myself.starhawk wrote:Well put indeed. This is FUD at best... as are most of these supposed 'exploits' or 'flaws'. Linux is about 95+% secure from this crap (assuming you don't run WINE) -- not by design, but because nobody of consequence in any position to create an exploit like that actually cares about Linux anything anywhere. It is wasted time and productivity better spent elsewhere. The few exceptions to this rule (Wikipedia has a page on them) are not really worth mentioning -- a double handful (maybe) of abortive efforts, all at least five years out of date (and I want to say more like fifteen for most). A goodly percentage aren't even in circulation anymore as I understand it. They have been completely eradicated.mavrothal wrote:Would be nice if people bother to look past the headlines and look a bit further.Puppy runs as root.It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine
...
an attacker would require local access to exploit the vulnerability on a Linux server
Puppy is NOT multi-user.
Puppy (usually) is not a server.
So, yes this is a kernel bug that can affect servers and multiuser machines given that someone has local access to it.
If someone has local access to your puppy I do not think will require any bug exploit.
Regarding Android, the user must install the malicious app (none know yet)...
Viruses, worms, trojans, etc are about MONEY, just like everything else in this world. Money, and want of it, and greed over it. Think of all the fake antivirus crap that Windows users get, begging them to install backdoor-laden programs that just spew out more of the same. Look at Cryptolocker and its ilk. Not to mention that "FBI" virus that had people mail prepaid Wal*Mart cards to strange addresses. Yes, all of those actually WORKED, at least enough to satisfy their creators.
There is no meaningful market for that trash here on Linux, and there never has been, because not enough people are willing to move here from The Dark Side to make it worthwhile. (Perhaps we should be thankful, particularly given the state of modern computer education...) If M$ ever goes under *and* people don't just shuffle over to That Fruit Company and get their daily dose of bloated disposable crapware from there, then we might at that point have something to talk about.
In the meantime, Shakespeare said it best. "Much ado about nothing." A statement particularly true, in this case, of Puppy Linux as a whole.
The likes of arstechnica and zdnet have to publish something to get people's attention, and make them want to visit their sites.
'Much Ado About Nothing' indeed, as The Bard himself put it.....
And from another zd.net article about this same subject:-
http://www.zdnet.com/article/how-to-fix ... -day-flaw/
...this quote:-
'Nuff said, really.This, according to another programmer working on mediating the problem, is far from unique. "Security companies are always making a big deal of little problems for their own benefit."
Mike.